
Authorization Failures Alarm

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CWL-002

Ensure there is an Amazon CloudWatch alarm created within your AWS cloud account that is triggered each time an unauthorized API call is made in order to respond quickly to unapproved actions.

This rule can help you with the following compliance standards:

  • CISAWSF
  • PCI
  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using Amazon CloudWatch alarms to detect unauthorized AWS API requests can help you keep your AWS account secure. For example, when managing the permissions of a large number of IAM users, mistakes can be made and certain users can receive unintended IAM access. With CloudWatch alarms these unintended API calls can be automatically detected, enabling you to act fast and revoke the unintended access.

Note 1: For this rule, Trend Cloud One™ – Conformity assumes that your Amazon CloudTrail trail is configured to stream event log data to a CloudWatch Logs log group, otherwise see this rule to enable and configure the CloudTrail – CloudWatch integration.
Note 2: You can specify a custom name for the CloudWatch alarm using the rule configuration settings available on your Conformity account console.


Audit

To determine if there is an Amazon CloudWatch alarm that is monitoring unauthorized API calls within your AWS cloud account, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

03 In the navigation panel, under Logs, choose Log groups.

04 Click on the name of the log group associated with your Amazon CloudTrail trail.

05 Select the Metric filters tab to access the metric filter(s) created for the selected log group.

06 On the Metric filters panel, search for the metric filter with the Filter pattern attribute value set to the following pattern: {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}. If there is no metric filter configured with the specified pattern, created for the selected log group, the unauthorized API calls made within your AWS cloud account are not monitored using Amazon CloudWatch.

07 Change the AWS cloud region from the navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run describe-metric-filters command (OSX/Linux/UNIX) using the name of the CloudWatch Logs log group associated with your CloudTrail trail as the identifier parameter and custom query filters to list the name(s) of the metric filter(s) created for the selected log group. The following command example returns the name of each metric filter created for a log group named "cc-project5-log-group" that is associated with a multi-region CloudTrail trail:

aws logs describe-metric-filters \
  --region us-east-1 \
  --log-group-name cc-project5-log-group \
  --query 'metricFilters[*].metricTransformations[*].[{"metricName": metricName, "metricNamespace": metricNamespace}] | []'

02 The command output should return the name and the namespace of each metric filter attached to the selected log group:

[
	[
		{
			"metricName": "VPCAccessFailure",
			"metricNamespace": "CloudTrailMetrics"
		}
	],
	[
		{
			"metricName": "RDSConnectionDrop",
			"metricNamespace": "CloudTrailMetrics"
		}
	]
]

03 Execute describe-metric-filters command (OSX/Linux/UNIX) using the name and the namespace of the Amazon CloudWatch metric filter that you want to examine as the identifier parameters, to describe the filter pattern configured for the selected metric filter:

aws logs describe-metric-filters \
  --region us-east-1 \
  --metric-name VPCAccessFailure \
  --metric-namespace CloudTrailMetrics \
  --query "metricFilters[*].filterPattern"

04 The command output should return the requested metric filter pattern:

[
	"{ $.errorCode = \"AccessDenied\" }"
]

If the filter pattern returned by the describe-metric-filters command differs from the following pattern: "{($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")}", the selected Amazon CloudWatch metric filter is not configured to monitor CloudTrail trail logs for unapproved API calls.

05 Repeat steps no. 3 and 4 to check each metric filter attached to the selected log group for the specified filter pattern. If none of the metric filters created for the log group associated with your CloudTrail trail have the required filter pattern, the unauthorized API calls made within your AWS cloud account are not monitored using Amazon CloudWatch.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
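The comparison in steps 3 to 5 is easy to get wrong by hand, because the console stores the pattern with different spacing than the CLI command shown later on this page. The following script is an added example (not Conformity's own code): it reads the full JSON output of aws logs describe-metric-filters --log-group-name ... (without a --query) from standard input, compares every filter pattern with the required one after collapsing whitespace, and reports the metric name and namespace that the alarm must reference. The SAMPLE_DESCRIBE_OUTPUT document is constructed for the demonstration and is shaped like the real API response; its names and values are invented.

```python
from __future__ import annotations

import json
import re
import sys

# Required CloudWatch Logs filter pattern from rule CWL-002.
REQUIRED_PATTERN = '{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}'

# Constructed sample of `aws logs describe-metric-filters --log-group-name ...`
# output. Field names follow the API response; the values are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "metricFilters": [
        {
            "filterName": "VPCAccessFailureFilter",
            # Exact match: catches "AccessDenied" but not "AccessDeniedException".
            "filterPattern": '{ $.errorCode = "AccessDenied" }',
            "metricTransformations": [
                {"metricName": "VPCAccessFailure",
                 "metricNamespace": "CloudTrailMetrics", "metricValue": "1"}
            ],
            "logGroupName": "cc-project5-log-group",
        },
        {
            "filterName": "AWSCloudAuthorizationFailure",
            # Same pattern as the rule requires, but with console-style spacing.
            "filterPattern": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
            "metricTransformations": [
                {"metricName": "AuthorizationFailure",
                 "metricNamespace": "CloudTrailMetrics", "metricValue": "1"}
            ],
            "logGroupName": "cc-project5-log-group",
        },
    ]
})


def normalize_pattern(pattern: str) -> str:
    """Collapse whitespace so console- and CLI-created patterns compare equal."""
    return re.sub(r"\s+", "", pattern)


def find_authorization_failure_filters(describe_output: str) -> list[dict]:
    """Return the metric filters whose pattern equals the required one.

    Each result carries the metric name/namespace that the CloudWatch alarm
    created in the Remediation section must reference.
    """
    data = json.loads(describe_output)
    wanted = normalize_pattern(REQUIRED_PATTERN)
    matches = []
    for mf in data.get("metricFilters", []):
        if normalize_pattern(mf.get("filterPattern", "")) != wanted:
            continue
        for mt in mf.get("metricTransformations", []):
            matches.append({
                "filterName": mf["filterName"],
                "metricName": mt["metricName"],
                "metricNamespace": mt["metricNamespace"],
            })
    return matches


def log_group_is_compliant(describe_output: str) -> bool:
    """True when at least one filter on the log group has the required pattern."""
    return bool(find_authorization_failure_filters(describe_output))


if __name__ == "__main__":
    # Usage: aws logs describe-metric-filters --log-group-name <group> | python3 check_cwl002.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    found = find_authorization_failure_filters(raw)
    if found:
        for f in found:
            print(f"compliant: filter {f['filterName']} -> {f['metricNamespace']}/{f['metricName']}")
    else:
        print("NOT compliant: no metric filter with the required pattern")
        sys.exit(1)
```

The first sample filter illustrates why exact patterns such as { $.errorCode = "AccessDenied" } do not satisfy the rule: without the trailing wildcard they never count errors such as AccessDeniedException, and they miss UnauthorizedOperation entirely.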

Remediation / Resolution

Step 1: Create the Amazon SNS topic and subscription required to send email notifications whenever the Amazon CloudWatch alarm configured to detect unauthorized API calls is triggered:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon SNS console at https://console.aws.amazon.com/sns/.

03 In the navigation panel, under Amazon SNS, select Topics.

04 Choose Create topic to initiate the setup process for the new SNS topic.

05 On the Create topic setup page, perform the following actions:

  1. For Type, select Standard.
  2. For Name, provide a unique name for the new SNS topic.
  3. (Optional) For Encryption – optional, choose Enable encryption if you want to enable Server Side Encryption for the new topic. Select a Customer Master Key (CMK) or enter the ARN of an existing CMK in the Customer master key (CMK) box.
  4. (Optional) For Tags – optional, create and configure tag sets for the new SNS topic. You can use tags to search and filter your topics and track your costs.
  5. Choose Create topic to create your new Amazon SNS topic.

06 On the newly created SNS topic page, select the Subscriptions tab, and choose Create subscription.

07 On the Create subscription setup page, select Email from the Protocol dropdown list, provide the email address where you want to receive alert notifications in the Endpoint box, then choose Create subscription to apply the new subscription to your Amazon SNS topic.

08 Use your preferred email client to open the subscription message from AWS Notifications, then click on the appropriate link to confirm your SNS subscription.

Using AWS CLI

01 Run create-topic command (OSX/Linux/UNIX) to create the Amazon SNS topic required to send alert notifications whenever unauthorized API calls are detected within your AWS cloud account:

aws sns create-topic \
  --region us-east-1 \
  --name cc-cloud-alert-sns-topic

02 The command output should return the Amazon Resource Name (ARN) of the newly created SNS topic:

{
	"TopicArn": "arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic"
}

03 Run subscribe command (OSX/Linux/UNIX) to subscribe to the Amazon SNS topic created at the previous step using one or more email addresses as subscription endpoints:

aws sns subscribe \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic \
  --protocol email \
  --notification-endpoint alert@cloudconformity.com \
  --return-subscription-arn

04 The command output should return the ARN of the new SNS subscription:

{
	"SubscriptionArn": "arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic:abcdabcd-1234-abcd-1234-abcd1234abcd"
}

05 Run confirm-subscription command (OSX/Linux/UNIX) to confirm the new SNS subscription by validating the token sent to the subscription endpoint (i.e. your email address) specified at the previous step (the command should not produce an output):

aws sns confirm-subscription \
  --region us-east-1 \
  --topic-arn arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic \
  --token 5877392f37fb687f5d51e6e241d7700ae02f7124d8268910b858cb4db727ceeb2474bb937929d3bdd7ce5d0cce19325d036bca58d3c217426bcafa9c501a2cac5646456gf1dd3797627467553dc438a8c974119496fc3eff026eaa5d15578ded6f9a5c43aec62d83ef5f49109da730122

Step 2: Create the CloudWatch metric filter and the associated CloudWatch alarm that fires whenever an authorization failure occurs within your AWS cloud account:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

03 In the navigation panel, under Logs, choose Log groups.

04 Click on the name (link) of the log group associated with your Amazon CloudTrail trail.

05 Select the Metric filters tab and choose Create metric filter.

06 On the Create metric filter setup page, perform the following actions:

  1. For Step 1 Define pattern, paste the following pattern in the Filter Pattern configuration box: {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}. This filter pattern will be used to scan your Amazon CloudTrail trail logs for "AccessDenied" and "UnauthorizedOperation" events. Choose Next to continue the setup process.
  2. For Step 2 Assign metric, provide the following information:
    • In the Filter name box, enter a unique name for the new filter.
    • In the Metric namespace box, type CloudTrailMetrics.
    • In the Metric name box, type AuthorizationFailure for the metric name.
    • In the Metric value box, type 1.
    • (Optional) Choose Count from the Unit – optional dropdown list.
    • Choose Next to continue.
  3. For Step 3 Review and create, review the new metric filter configuration data, and choose Create metric filter.

07 On the Metric filters panel, select the newly created metric filter, and choose Create alarm.

08 On the Create alarm setup page, perform the following operations:

  1. For Step 1 Specify metric and conditions, perform the following actions:
    • In the Metric section, select Sum from the Statistic list, and choose 5 minutes from the Period dropdown list.
    • In the Conditions section, select Static as Threshold type. For Whenever AuthorizationFailure is…, select Greater/Equal (greater than or equal to), and enter 1 as the threshold value in the than… box, so that the CloudWatch alarm is triggered every time there is an AWS cloud API authorization failure.
    • Choose Next to continue the setup process.
  2. For Step 2 Configure actions, define the alarm state that will trigger the CloudWatch alarm action by selecting In alarm under Alarm state trigger, then choose Select an existing SNS topic and select the name of the SNS topic created at Step 1 from the Send a notification to… list. Choose Next to continue.
  3. For Step 3 Add name and description, provide a unique name and a short description (optional) for your new CloudWatch alarm in the Alarm name and Alarm description boxes. Choose Next to continue.
  4. For Step 4 Preview and create, review the alarm configuration details, then choose Create alarm to create your new Amazon CloudWatch alarm. Once the data is loaded, the State (status) of the newly created alarm will change from Insufficient data to OK.

Using AWS CLI

01 Run put-metric-filter command (OSX/Linux/UNIX) to create the required CloudWatch metric filter and associate it with your Amazon CloudTrail trail. The pattern defined as value for the --filter-pattern command parameter will be used to scan your Amazon CloudTrail trail logs for "AccessDenied" and "UnauthorizedOperation" events (if successful, the command should not return an output):

aws logs put-metric-filter \
  --region us-east-1 \
  --log-group-name cc-project5-log-group \
  --filter-name AWSCloudAuthorizationFailure \
  --filter-pattern '{($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}' \
  --metric-transformations metricName=AuthorizationFailure,metricNamespace=CloudTrailMetrics,metricValue=1

02 Run put-metric-alarm command (OSX/Linux/UNIX) to create the Amazon CloudWatch alarm that fires whenever an authorization failure occurs in your AWS cloud account (if successful, the command does not produce an output):

aws cloudwatch put-metric-alarm \
  --region us-east-1 \
  --alarm-name "AWSAuthorizationFailureAlarm" \
  --alarm-description "Triggered when unauthorized AWS API calls are made" \
  --metric-name AuthorizationFailure \
  --namespace CloudTrailMetrics \
  --statistic Sum \
  --comparison-operator GreaterThanOrEqualToThreshold \
  --evaluation-periods 1 \
  --period 300 \
  --threshold 1 \
  --actions-enabled \
  --alarm-actions arn:aws:sns:us-east-1:123456789012:cc-cloud-alert-sns-topic
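To see what the metric filter and alarm above actually react to, the following script is an added example (not Conformity's own code, and not how CloudWatch is implemented internally). It mirrors the two clauses of the filter pattern over a handful of constructed CloudTrail records, buckets the matches into the alarm's 300-second periods with metricValue=1 per match, and applies the Sum >= 1 condition from put-metric-alarm to list the periods that would put the alarm into the ALARM state. The errorCode and eventTime field names are the real CloudTrail record fields; the events themselves are invented for the demonstration.

```python
from __future__ import annotations

from datetime import datetime

# Constructed CloudTrail records (only the fields the filter and alarm need).
# A successful API call carries no errorCode at all.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances"},                       # success: no errorCode
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVolumes", "errorCode": "Client.RequestLimitExceeded"},
    {"eventTime": "2024-01-01T10:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListUsers", "errorCode": "AccessDeniedException"},
    {"eventTime": "2024-01-01T10:12:30Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke", "errorCode": "UnauthorizedOperation"},
]


def is_authorization_failure(event: dict) -> bool:
    """Mirror {($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*")}.

    In a CloudWatch Logs JSON filter a leading '*' means "ends with" and a
    trailing '*' means "starts with". Records without errorCode never match.
    """
    code = event.get("errorCode")
    if not isinstance(code, str):
        return False
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def metric_datapoints(events: list[dict], period_seconds: int = 300) -> dict[int, int]:
    """Sum metricValue=1 per matching record into period buckets (epoch start -> Sum)."""
    sums: dict[int, int] = {}
    for ev in events:
        if not is_authorization_failure(ev):
            continue
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        bucket = int(ts.timestamp()) // period_seconds * period_seconds
        sums[bucket] = sums.get(bucket, 0) + 1
    return sums


def alarm_periods(datapoints: dict[int, int], threshold: int = 1) -> list[int]:
    """Periods whose Sum satisfies GreaterThanOrEqualToThreshold (evaluation-periods 1)."""
    return sorted(start for start, total in datapoints.items() if total >= threshold)


if __name__ == "__main__":
    dp = metric_datapoints(SAMPLE_EVENTS)
    for start in alarm_periods(dp):
        when = datetime.utcfromtimestamp(start).strftime("%H:%M")
        print(f"ALARM for period starting {when} UTC: Sum={dp[start]}")
```

Two of the sample records fall in the 10:00 period and two in the 10:10 period, so both periods exceed the threshold of 1 and each would notify the SNS topic; the throttling error and the successful call are ignored, which is the behaviour you want from an authorization-failure alarm.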

Publication date Aug 18, 2016